Stratics VeteranAlumni

Firstly, scan the living daylights out of your system with a good spyware detector (Spybot Search & Destroy and Adaware for example). Or use Malwarebytes if it's got a good removal tool - I haven't used that program so I don't know what it's capable of.

From the quick search I did about Spyware.OnlineGames, it's looking for your passwords, so once you're certain you're clear and your system scans clear after a reboot, I'd change your passwords. Or use a different PC to do that ASAP so your accounts are protected.

I don't think this would have come through a patch; from what I read it's more likely to be through a bad website or some fake anti-spyware program you've accidentally downloaded. Or you've had an attack of the evil popups. Depending on what browser you use, it may be you have a loophole and hit an unknown site recently. Check it's up-to-date and if you're running Firefox there's a barrage of security plugins to stop dodgy scripts and so on. Worth asking in the Tech forum if you're not sure.

One thing I did do was download WoW as the boxed version we own was telling me my computer didn't meet minimum requirements, although I used to play WoW on it and reading the posted requirements I could see that it did.

Oh yes I had gotten an automatic update for my video card, an ATI, which has never happened before in the 3 years I have owned this computer. That update offered me a free trial of WoW.

I think that free trial 'window' (eeps I don't want to say 'strange website' although I guess that's what it was) was where I downloaded WoW from.

I did disable my virus protection and firewall for the 14 hours or so it took my slow dsl to dl and patch WoW.

Stratics VeteranAlumni

I'd say treat it like there is something nasty, at least to be on the safe side. The best way to be sure is to use a couple of programs to scan your system, that's what I always did when I used Windows regularly. It covers you for cases like this when you're not sure if you have an infection or a software issue.

If Windows ever pops up anything you didn't expect, it's worth checking the little git hasn't picked something nasty up. Any odd errors and such too - if you can't think of a good reason for the message, always check under the hood.

What browser do you use? There should be a disable popups option in whatever you use, I'd recommend you turn that on and only disable it for trusted sites when they're not working as you expect.

It does seem that ATI were running a promotion with the WoW trial so that could be a legit popup. But if you didn't download directly from ATI themselves, it's possible that it was a spoof and by clicking it you let an infection in. Don't worry, we all do it at least a few times - sometimes just for the thrill. You shouldn't have to disable firewall/AV protection for a download though, unprotecting a Windows system like that can let all sorts in. Again, only if you want a rush.

To protect yourself if you download from your browser, check your anti-virus program is set up to automatically scan downloads and new files arriving on your PC. Also set it for scanning all your emails before you can open them and screw your system up. If you have disabled your security stuff to download something, as soon as it's downloaded you want to scan the file(s) with your software.

Stratics Veteran

UOSASETUP_105.exe is a self-extracting RAR archive. I have extracted it in a sandbox and the only changes it makes are the ones it purports to, namely extract the game client's files to a temporary location. None of the files within the archive are infected. Malwarebytes itself also does not report a problem with the extracted files.

Additionally, UOSASETUP_105.exe is not flagged as a threat by any other leading AV scanners.

I am 100% certain that this is a false positive from Malwarebytes on the RAR archive itself and your machine is not infected.

Stratics VeteranAlumni

Unfortunately, legit filenames aren't necessarily a guarantee that the contents are safe. The best place for malware to hide is in a safe-looking file that you won't suspect. All the fun ones are sneaky.

To put it another way, I wouldn't be at all surprised if it's a false positive, but it never hurts to scan your Windows system and know for sure. It's a lot less painful than the results of that particular bit of malware.

Stratics VeteranAlumniStratics Legend

You all know, instead of having these different types of virus protection software, some should try the new Microsoft Security Essentials, and it's free. At one time I had many different spyware removal programs and the funny thing was some would say the other program was the spyware. I use Microsoft Security Essentials and CCleaner on my comp, nothing else. No problems since, and what's nice: if I even come to a site that has an issue it instantly comes up with a warning, cleans my comp, and closes the site.

Stratics Veteran

Unfortunately, legit filenames aren't necessarily a guarantee that the contents are safe. The best place for malware to hide is in a safe-looking file that you won't suspect. All the fun ones are sneaky.

Nowhere did I imply that legitimate filenames did guarantee the contents were safe, either.

Initially I observed all changes the .exe made to a system after execution through use of a decompiler and process monitor. None that I could see were suspicious and certainly not consistent with malware.

Secondly I then ran the archive past 40 AV engines of which 0 report it as a threat.

Thirdly, I executed the .exe in a sandboxed environment and isolated all files and registry changes which it produced. None were consistent with malware behavior. I then scanned these files and ran them past Malwarebytes also and even it did not report threats, which I certainly would expect it to should file(s) within the archive have been infected as it initially reported.

This, simply, is a false positive on the archive file. It isn't even detecting anything within the file as a trojan but the self-extractor itself. While it's never a bad idea to scan your system and whatnot, there is no need to spread further FUD about this file being infected. It simply isn't.

Stratics VeteranAlumni

Unless something changed since I shifted to Linux, Windows malware can still do creative things in the guise of a trusted filename. Your file and the OP's might not be 100% identical.

I'm not saying that the file is definitely infected, I could be totally wrong, and I'd be happy if that was the case. But if that file has been modified by malware on the OP's system, the sooner it gets noticed the better. So, if the OP runs a few extra scans, at worst they'll yield some extra peace of mind and take up a little time. Where's the problem in that though? Better to double check than assume you're ok.

I certainly haven't intended to offend you or question your knowledge, I just didn't agree with your suggested approach.

Stratics is the oldest continually running MMORPG Fansite on the Internet. Founded in 1997 Stratics has served the Ultima Online Community for 18 years. We strive to provide the most complete social experience for Ultima Online players.